Professional Documents
Culture Documents
Security and User Management: DN09106695 Issue 3-1
Security and User Management: DN09106695 Issue 3-1
Security and User Management: DN09106695 Issue 3-1
The information in this document applies solely to the hardware/software product (“Product”) specified
herein, and only as specified herein.
This document is intended for use by Nokia Solutions and Networks' customers (“You”) only, and it may not
be used except for the purposes defined in the agreement between You and Nokia Solutions and Networks
(“Agreement”) under which this document is distributed. No part of this document may be used, copied,
reproduced, modified or transmitted in any form or means without the prior written permission of Nokia
Solutions and Networks. If you have not entered into an Agreement applicable to the Product, or if that
Agreement has expired or has been terminated, You may not use this document in any manner and You
are obliged to return it to Nokia Solutions and Networks and destroy or delete any copies thereof.
The document has been prepared to be used by professional and properly trained personnel, and You
assume full responsibility when using it. Nokia Solutions and Networks welcome Your comments as part of
the process of continuous development and improvement of the documentation.
This document and its contents are provided as a convenience to You. Any information or statements
concerning the suitability, capacity, fitness for purpose or performance of the Product are given solely on
an “as is” and “as available” basis in this document, and Nokia Solutions and Networks reserves the right
to change any such information and statements without notice. Nokia Solutions and Networks has made all
reasonable efforts to ensure that the content of this document is adequate and free of material errors and
omissions, and Nokia Solutions and Networks will correct errors that You identify in this document. But,
Nokia Solutions and Networks' total liability for any errors in the document is strictly limited to the correction
of such error(s). Nokia Solutions and Networks does not warrant that the use of the software in the Product
will be uninterrupted or error-free.
NO WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
ANY WARRANTY OF AVAILABILITY, ACCURACY, RELIABILITY, TITLE, NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, IS MADE IN RELATION TO THE
CONTENT OF THIS DOCUMENT. IN NO EVENT WILL NOKIA SOLUTIONS AND NETWORKS BE
LIABLE FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT,
INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO LOSS OF
PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR DATA THAT MAY
ARISE FROM THE USE OF THIS DOCUMENT OR THE INFORMATION IN IT, EVEN IN THE CASE OF
ERRORS IN OR OMISSIONS FROM THIS DOCUMENT OR ITS CONTENT.
This document is Nokia Solutions and Networks’ proprietary and confidential information, which may not be
distributed or disclosed to any third parties without the prior written consent of Nokia Solutions and
Networks.
Nokia is a registered trademark of Nokia Corporation. Other product names mentioned in this document
may be trademarks of their respective owners, and they are mentioned for identification purposes only.
Only trained and qualified personnel may install, operate, maintain or otherwise handle this
product and only after having carefully read the safety information applicable to this product.
The safety information is provided in the Safety Information section in the “Legal, Safety and
Environmental Information” part of this document or documentation set.
Nokia Solutions and Networks is continually striving to reduce the adverse environmental effects of its
products and services. We would like to encourage you as our customers and users to join us in working
towards a cleaner, safer environment. Please recycle product packaging and follow the recommendations
for power use and proper disposal of our products and their components.
If you should have questions regarding our Environmental Policy or any of the environmental services we
offer, please contact us at Nokia Solutions and Networks for any additional information.
Table of Contents
This document has 66 pages
List of Figures
Figure 1 Average user rights............................................................................ 15
Figure 2 Low user rights................................................................................... 16
Figure 3 Critical commands with high authority requirement............................16
Figure 4 Choose XML file................................................................................. 41
Figure 5 Set <protocol> element value to "https"............................................. 42
Figure 6 Activate XML file.................................................................................43
Figure 7 Configuring network element IPSec with IKE pre-shared key-based
VPN authentication.............................................................................49
List of Tables
Table 1 MML command authority categories.................................................. 12
Table 2 MMI system security hardening recommendations............................ 17
Table 3 Network security -related hardening recommendations..................... 27
Summary of changes
Changes between document issues are cumulative. Therefore, the latest document
issue contains all changes made to previous issues.
1.1 Authentication
1.1.1 MMI system users
Local users
The user accounts of local users are defined in each network element separately, and
the users can log in only to those network elements in which they have a user account.
A local user must have an MMI user profile and can additionally have a network user
profile or an HTTP profile. The profile defines the user's authority to execute MML
commands.
A local user who has admin rights to command IAH can add other users to the network
element.
If Feature 31390: Password Policy is used in the network element, a password policy
can be defined and attached to a user profile. The requirements set in the password
policy are activated when the user changes a password attached to that user profile.
In addition, it can be determined that the system checks the history of every new
password the user is creating. This way, the user can be prevented from re-creating a
password that has been recently used in the network element.
If Feature 31391: User Account Policy is used in the network element, it can be defined
that what kinds of formal requirements the local user account must fulfill.
Centralized users
A centralized user has authentication and authorization details defined in a centralized
LDAP server in the Network Management System (NMS) NetAct.
Network element centralized users are related to the Centralized User Authentication
and Authorization (CUAA) solution in NetAct. CUAA functionalities contain an LDAP
client interface in the OMU functional unit. The LDAP client interface is used to obtain
authentication and authorization details from the CUAA LDAP server when the CUAA is
enabled in the network element.
The user accounts are stored to the LDAP server. Each user is given an access list
defining which network elements the user can log into.
An LDAP client can be configured in the network element, if the following requirements
are met:
The address of the LDAP directory must be defined before centralized user accounts can
be used.
Information management over a remote connection requires the XML over HTTP
interface or the NWI3 interface. A centralized user who has administrator rights to
command IAH can add local users to the network element.
Network users
Network users are users who need to operate the system remotely from the NetAct over
connection.
A network user needs an MMI user account to be able to log in to the network element.
The user account consists of a local user ID and user profile, which defines the
appropriate user rights.
Super users
A super user profile has authority 251 in one or more command classes. The profile
lends the user un-restricted rights to execute commands in those command classes to
which special authority is granted. The special authority bypasses command blocking,
MML command authorization, and the authority restriction of the MML terminal. The
super user profile can be attached to an MMI user ID or to an MML terminal.
1.1.3 Passwords
When creating passwords, the following principles have to be taken into account:
The purpose of case-sensitivity and the possibility to use a large amount of different
characters in the password is to increase system security and it is recommended to take
full advantage of both.
When creating, storing and using passwords, follow the common recommendations and
your company's security policy.
Validity time
In the VTIME parameter of command IAA, you can define how long a password is valid.
The value range is from 1 to 250 days.
If the value is 0, the password has to be changed at every login.
If the value is FOREVER, the password does not have an expiration date. Use this value
only in NetAct connections.
Encryption
Passwords are not stored to the MMI system in plaintext format. Only a hash value of
each password is stored to the MMI system. It is enough for the system to conclude, if
the password values given in O&M user logins match with the hash values in the MMI
system O&M user account book-keeping.
Hash values of passwords are calculated with the International Data Encryption
Algorithm (IDEA) encryption algorithm which uses the Davies-Meyer method. The
method provides one-way encrypted result to make it impossible to resolve the actual
password values from one-way encrypted results (hash values).
The password encryption keys are generated by the system and they are not visible to
users. You can only print out a list of reserved indexes, and change an existing index.
The one-way encryption method is not supported by all older systems. Therefore, it is
advisable to create parallel passwords for those users who need to establish remote
connections to a system which does not support the one-way encryption method.
Parallel passwords
The purpose of parallel passwords is to allow local users an access to systems which do
not recognize passwords that have been encrypted with the one-way encryption method.
When a user with two passwords logs in locally, the system checks both passwords, and
does not request the user accounts again when the user opens a remote session.
You can create parallel passwords in the PARAPW parameter of command IAA. The
parameters have to be completely separate (two different digit sequences) and both
have a validity time of their own.
If a user's new-type password has expired but the old-type password is still valid, the
user can log in locally and change the expired password. Other local operations cannot
be executed using the old-type password.
If a user's old-type password has expired but the new-type password is valid, the user
can open a remote session from a network element of an older system level to one of a
newer system level and change the expired password. Other operations cannot be
executed in the remote session using the new-type password.
Password policy
A password policy states what kinds of formal requirements a password must fulfill. In
the password policy, you can define:
• Whether the user ID as such or written from back to front can be used as a substring
in the password.
• Whether the forbidden password list must be checked.
• That the password history is checked before certain MML commands are executed.
• That the password policy is checked before certain MML commands are executed.
• 044:0001 FIRST_MMI_LOGIN_DELAY
defines the length of the first delay.
• 044:0002 MAX_MMI_LOGIN_DELAY
defines the maximum length of the delay.
• 044:0003 OVERFLOW_LOGIN_DELAY
defines the length of the delay in those Telnet connections to which unique delay
cannot be applied.
You can check and change the values of these parameters with the commands of
command group WO. For information about the commands, see the Parameter Handling
MML command reference manual.
Group 3 Commands that are used to change the state of the 150
system to a fairly limited extent.
For example, commands for managing subscribers
and services.
You can check the command authority of a command group with command IAT and
change it with command IAM. For examples, see MMI System Authority Handling MML
command reference manual.
t The default authority requirements defined in the software package can be considered
a general recommendation given by the network element manufacturer, but the network
operators have to evaluate the MMI system accessibility from the point of view of their
own network’s operability.
As a rule of thumb, access to sensitive data and to commands that are critical from the
point of view of system security and operability (command authority 200 or higher)
should be limited to system administrators who are servicing the network element.
Also, access to command groups with which online call monitoring (lawful interception)
is handled should be restricted to a specific number of users accountable for operation
in this area.
• Attaching the terminal to another profile, which has the required authority (with
command IAE).
• Creating a new profile with required authority and attaching the terminal to it (with
commands IAA and IAE).
• Updating the profile currently attached to the terminal (with command IAA).
• When a service terminal session is started from a terminal, the user ID and password
are requested.
• When a session is started from an MMI session, the user ID and password are not
requested, because the authentication and authorization details from the MMI
session are already applied for the user.
In addition to the user account having authority to execute command DDS, a service
terminal session can also be started with a fixed user name and password. This method
can be applied in a fault situation when the MMI system implementation is unable to
provide authentication and authorization for an individual functional unit.
• The fixed user name can be applied only from the local management serial port. The
system prevents service terminal logins to the functional unit with the fixed user
name as long as the MMI system is able to serve the functional unit (via network
element internal message bus).
• The password is configurable for operators.
t For security reasons, it is recommended that the default authority of command group
DD is not decreased from the default 250.
The fixed user name and its password are intended only for administrator users and it is
recommended to change the password regularly.
The use of service terminal commands should be limited to testing, fault detection, and
specific tasks in the commissioning phase.
If the user’s authority is set so low that it prevents access to an entire command class,
the user cannot see the command groups that belong to the command class, either.
Figure 2: Low user rights illustrates a case where a user’s rights are so low that the
execution of all commands is prevented.
251
250
Command 200
authority
requirement
150
100
50
Userrights 1
Commandgroup R R R R
Command O M T I
Figure 3: Critical commands with high authority requirement illustrates a case where
access to the more critical commands has been limited to a small number of
administrator users by keeping the authority requirement of these commands higher than
the average users’ authorities.
1. Divide the users of the network element into user groups according to their tasks,
and create a dedicated MMI profile for each group:
• Separate, for example, system administrator-type of users who are servicing or
maintaining the network element from users managing individual functionalities.
• Specify the MML command authority in each MMI profile according to the tasks
each user group need to be authorized. See Table 2: MMI system security
hardening recommendations for examples of user groups.
Table 2 MMI system security hardening recommendations
System administrators These are users who service and manage the network element.
They need fairly high authority in command classes which are used to handle
software packages and the basic functionality of the system.
For example:
Authority in other command classes (for example call control) can be low.
Operator users Operator users need adequate rights for managing functionality (for example the
call control interface) and MMI user accounts.
These profiles separate
function management from, Operator users need high authority only in those command classes with which
for example, system functionality is handled.
administration.
Authority in system administration-related command classes can be kept low,
preventing authority for example to service terminal sessions.
Also SFT/SFTP authority can be defined as NO for these profiles, to prevent
operator users from accessing the file system.
Governmental authority Governmental authority users need high authority in command class V (LAWFUL
INTERCEPTION HANDLING) to be able to carry out tasks related to Lawful
These profiles separate
interception and OLCM.
governmental authorities
from operator users. Authority in other command classes can be kept low.
FTP/SFTP authority can be defined as NO, to prevent these users from accessing
the file system.
FTP/SFTP READ operations These profiles are needed, if the network element has charging functionalities
(CHU units) or an audit trail log transfer interface from the OMU units towards the
NMS.
These users do not need authority to execute any other MML commands; only the
FTP/SFTP READ authority needs to be enabled for them.
EMT interface This profile is needed, if the network element has an interface towards the NMS
NEMU element.
This profile does not need authority in any MML command class, and also the
FTP/SFTP authority can be defined as NO.
For this profile, it is sufficient that an MMI user account exists in the network
element for logging in to the EMT, but authority settings of the profile can be kept to
the minimum.
t All remote connections to the MMI system are routed through the virtual terminal (VTP).
If the VTP has a super terminal profile, all remotely connected users who log in through
Telnet/SSH get super user rights as the terminal authority 251 runs over their profile-
defined user rights.
If super terminal rights are needed, add the super terminal profile only to the VDUs.
9. Make sure that all users are aware of the company's security policy.
g Information of remote and local user accounts cannot be separated in the command
log. Centralized users have their own profile object for the MML log in the centralized
profile.
The rights to access the MML command log are defined when creating a user profile.
They can be:
LIMITED The owners of the profile can read only their own MML
command log records.
MEDIUM The owners of the profile can read their own command log
records and all other users’ public MML command log
records.
COMPLETE The owners of the profile can read all MML command log
records.
You can change the MML command log access with command IAA. For examples, see
the command description in the command reference manual of MMI System Authority
Handling.
Every MML command has a visibility attribute, which determines whether the command
can be printed out from the MML command log. The visibility can be:
PRIVATE only those users who have complete access rights to the
MML command log can print out the command from the
log.
There is one exception: users with only limited or medium
access to the command log can view the commands which
they themselves have executed, even if the visibility of the
commands were PRIVATE.
The visibility of an MML command is PUBLIC by default. You can change the visibility
with the IAM command. For examples, see the command description in the command
reference manual of MMI System Authority Handling.
• log type
• username
• the date and time of the session
• the connection type: direct or remote
• the unit name of the network element
• the process ID: the service terminal ID
• the session type: the start or stop of the session
• the operations carried out over the service terminal sessions: opening or closing a
session, the command executions and the parameters given in the service terminal
g There are more than one service terminal command log generated during one day. In
order to distinguish the different log files, the .XML file extension is not given in the log
path.
For both local and remote service terminal sessions, the service terminal command log is
collected.
The feature of collecting the service terminal command log can be disabled by only
authorised operators. Contact Customer Service Center to perform this operation.
• username
• network element name
• the start date and time of the session
• the operations carried out over the FTP connections: opening or closing the
connections, renaming files, getting the file from the server and storing the file into
the server, etc
• the FTP commands given in the sessions
• IP address of the client
• username
• Session log
The SESSION.XML file records the information of the sessions carried over HTTP(S)
in the network element.
The log includes the following information:
– network element name
– the file name of the log
– the log type
– the creating time of the log
– the username
– session ID
– the start date and time of the session
– the operations carried out over the HTTP connections: session requests, session
request results, session request failure reasons, etc
– the entry types of the log: NORMAL, NOTICE, DISTURBANCE, ERROR and
FATAL_ERROR
– the IP address of the client
The default path to the log is:
OMU:/WEBFIL/SESSION.XML
This is the path in active software packet directory.
• Error log
The DXHERR.XML file records the printouts of the failed operations carried over
HTTP(S) connection in the network element.
The log includes the following information:
– network element name
– the file name of the log
– the log type
– the creating time of the log
The HTTP(S) log files are maintained by the Network Element Web Manager. The Web
Manager user menu contains a list of the different logs with HTML links to them. The
logs are stored on network element disks.
When you select an HTTP(S) log file, it opens automatically in a window. You can save
the log file on your local workstation in XML format. You can select more than one log file
and save them all in one file. In this case, the HTTP(S) log files are automatically
compressed into a ZIP file.
g There is no IP address recorded in the login delay logs for the ST session.
• network access
It includes the username, the network element name, the terminal name, the login
date and time, the information about the attempts to access the network element, the
connection types are FTP, SFTP, and HTTP, (for example, the IP address if the
session is established over IP)
• SSH session
It includes the information of the username, the time and date of the session, the
start/stop information, the access status, and the connection address of the remote
host (for example, the IP address).
The security reporting system collects the security-related data, prepares the reports,
and manages the reporting function. When the system starts up for the first time, the
security reporting log is automatically created and stored in the disk. The system records
the information in the created log every time when there is session connected or
operation performed. You cannot modify or configure the log.
A periodical security counter indicates the number of events collected since the periodic
security counter report was last printed out. These counters are reset automatically when
the periodic security counter report is put out.
A long-term counter contains the number of events collected since the long-term
counters were last reset. Long-term counters help you to define reasonable critical limits
for security counters. They also help you to see if the situation shown by periodical
counters has suddenly changed drastically compared to the situation shown by long-term
counters. Unlike periodical counters, long-term counters are not reset when the periodic
security counter report is output. You can reset them with command IRR.
To access the security reporting log, enter command group IR.
The default path to the log is:
OMU:/LFILES/LETTERGX.XML
This is the path in active software packet directory.
Some of the MML commands are monitored automatically and others can be set to be
monitored manually. Monitoring means that security reporting is informed every time the
command is used. If you want to set a single MML command to be monitored, you can
do it with command IAM.
Outputting a detailed report is important at least when a critical limit has been reached.
The detailed report enables you to find out the reason for the excessive number of
events.
• the third occurrence of consecutively failed login attempts that came from the same
source
• all failed login attempts in which the user name is different from the previous one
used in the same source
• a successful login made after the failed ones
• the address of the source where the login attempts were made
For PAD and ISO VT connections, the address information is ‘unidentified’, but the name
of the protocol is shown.
• Do not set the user authority of virtual terminals so high that normal operations
cannot be carried out via the MML terminal.
• Ensure that the connection between the network element and LDAP has been
protected, for example with the IPSec protocol.
Interface Recommendation
MMI over Telnet in OMU Consider applying the MMI over SSH server interface
instead of the default MMI over Telnet interface.
If MMI over SSH is used, the MMI over Telnet interface
can be disabled.
FTP server interface in OMU Consider applying the SFTP Server interface instead
(MSS/MSC’s CHU or SGSN’s of the default FTP server interface.
MCHU)
If SFTP Server is used, the FTP server interface can
be disabled.
Interface Recommendation
Interface Recommendation
VPP-over-Telnet server interface Virtual printers are used to direct data from the system
in OMU to a printer using a virtual printer driver and POSIX
printer services.
Consider disabling this interface, if it is not used.
t In some products, the User Account Policy feature is optional. In such cases, the
feature has to be activated first.
If the feature is not optional in the network element software, you can skip the first two
steps.
2 Check that the user account policy feature has been activated successfully
ZWOS:58,0001:;
g To create an administrative profile, the Feature 31391: User Account Policy must be
activated.
By default, the FTP authority is disabled (defined as "NO"). If needed, you can
enable the FTP authority in the MML profile:
• FTP=W (access with read and write permissions)
• FTP=R (access with read permission)
Further information
Existing profiles can be deleted with command IAR, if they have not been attached to
any user ID.
t The password defined for the user ID must not be longer than 15 characters although
16 characters can be given in the command.
Further information
The FTAM user profile and access right can be removed with command IOR.
When the entire user profile of user is deleted, the MMI user account remains in the
system, but when a local MMI user account is deleted, the system automatically deletes
its FTAM profile.
t In some products, the Password Policy feature is optional. In such cases, the feature
has to be activated first.
If the feature is not optional in the network element software, you can skip the first two
steps.
t In some products, the User Account Policy feature is optional. In such cases, the
feature has to be activated first.
If the feature is not optional in the network element software, you can skip the first two
steps.
2 Check that the user account policy feature has been activated successfully
ZWOS:58,0001:;
t When Centralized User Authentication and Authorization (CUAA) has been configured
to be active, the user does not have to do anything in the network element. CUAA
simply enables the usage of O&M user accounts that have been defined in NetAct's
LDAP server.
1 Set a NE account
ZIAY:<NE account username>:;
2 Configure the LDAP client for centralized user authentication and authorization
ZIAJ:STATE=ON:TYPE=[PRI | SEC]: [IPV4=<IP address version 4>]
| [IPV6=<IP address version 6], PORT=<port
number>:[SSL=OFF|FOR|CON]:<dn path>;
Where
Example:
ZIAJ
:STATE=ON:TYPE=PRI:IPV4=”10.102.39.58”,PORT=389:SSL=CON:”CN=DX
,OU=LDAPCONFDATA,OU=RUIM,OU=REGION,OU=REGIONS,OU=NETACT,DC=NOK
LAB,DC=NET”;
t When using an SSL connection, you have to configure the required certificates and a
related private key. For instructions, see section
Configuring SSL/TLS authentication proxy.
COMMAND EXECUTED
2 Create a subdirectory
The physical file has to be stored to the MMDIRE/MLOGS directory.
ZIWL::WS:MMDIRE:MLOGS,100,2,QA;
COMMAND EXECUTED
5 If needed, change the FTP privileges of the user profile as Read, Write or No
Access.
t Before HTTPS can be used, network element end-entity certificate, private key related
to it and trusted CA certificate must have been added to the network element key
storage (with the commands of the Q4 command group) and enabled for OMU
functional unit in SSL/TLS layer configurations (with the commands of the I3 command
group). For more information, see section Configuring SSL/TLS authentication proxy.
g The parameter HTTPS is visible only if the feature HTTPS WEBGUI is in use.
The status of the command execution is displayed in the execution printout.
t If needed, the HTTP server can be enabled again with the following command:
ZI2C:PROTOCOL=HTTP:IPV4STATE=ON:IPV6STATE=OFF;
t Before XOHS can be used, network element end-entity certificate, private key related to
it and trusted CA certificate must have been added to the network element key storage
(with the commands of the Q4 command group) and enabled for the OMU functional
unit in SSL/TLS layer configurations (with the commands of the I3 command group).
For more information, see section Configuring SSL/TLS authentication proxy.
g The parameter XOHS is visible only if the feature HTTPS SOAP REQUEST is in use.
The status of the command execution is displayed in the execution printout.
t If needed, XOH server can be enabled again with the following command:
ZI2C:PROTOCOL=XOH:IPV4STATE=ON:IPV6STATE=OFF;
1 Activate HTTPS_XOH_INTERFACES
ZWOA:058,0007,A;
If the network element FIFILE does not contain XOH HTTPS feature, the network
element prints out:
PARAMETER NOT FOUND FROM PARAMETER FILES
Network security-related X.509v3 PKI certificates are operator-specific and are provided
by the operator’s certificate issuer. Therefore, the SSL/TLS server and client interfaces of
a functional unit do not, by default, apply any certificates to their SSL/TLS connections.
Above presented means that by default, without below described operator specific
certificate configuration operations, functional unit does not authenticate remote
SSL/TLS peers to the extent required to guarantee network-level security.
2 Transfer the network element’s own end-entity certificate to the hard drive
The certificate is in the straight DER (ASN.1) format, not, for example, in the
PKCS#7-enveloped format.
In this example, the certificate is stored to the active software packet directory with
filename OWNCERT.BIN.
3 Transfer the network element’s own RSA or DSA private key to the hard drive
The private key is a PKCS#1 (RSA or DSA) private key in the DER-encoded (ASN.1)
binary format. It is needed for the network element’s end-entity certificate.
In this example, the private key is stored to the active software package directory on
the hard drive of the OMU with filename OWNPRIV.BIN
4 Configure the trusted CA certificate from the hard drive to the key storage
ZQ4A:CACERT,C:F,”W0-CACERT.BIN”:;
The trusted CA certificate is stored to the network element’s internal key storage with
name CACERT.
ZMD:W0-CACERT.BIN
ZE
6 Configure the end-entity certificate from the hard drive to the key storage
ZQ4A:OWNCERT,C:F,”W0-OWNCERT.BIN”:;
The end-entity certificate is stored to the network element's internal key storage with
name OWNCERT.
8 Configure the private key of the end-entity certificate from the hard drive to the
key storage
ZQ4A:OWNPRIV,P:F,”W0-OWNPRIV.BIN”:;
The private key is stored to the network element’s internal key storage with name
OWNPRIV.
9 Remove the private key of the end-entity certificate from the hard drive
ZDDS:;
ZLP:M,MAS
ZMD:W0-OWNPRIV.BIN
ZE
10 Assign the SSL/TLS server and client interfaces to apply the configured
certificates to SSL/TLS-based connections
ZI3C:OMU:OWNCERT,OWNPRIV:CACERT:;
After this, the OMU applies the configured certificates to all SSL/TLS connections:
• In an SSL/TLS handshake, the SSL/TLS server and client interfaces verify that a
remote peer end-entity certificate is issued and digitally signed by the same
certificate issuer's CA certificate that has been configured as trusted.
• The OMU checks that the validity time in the remote peer certificate is correct.
This is done by comparing the 'not before' and 'not after' parameters in the
certificate to the calendar time of the system.
• The OMU includes its end-entity certificate and the trusted-certificate-issuer
certificate in the SSL/TLS server-and-client hello message in an SSL/TLS
handshake. This makes it possible for the remote peer (server or client) to
authenticate the OMU end-entity certificate in the same way as the OMU
authenticates the remote peer's certificate.
The SSL/TLS-level authentication functionalities do not include certificate revocation-
related functionalities.
ZI2S
:IPV4STATE=ON,IPV4PORT=22:IPV6STATE=OFF:RSAKEY=PRIKEYNM01,DSAK
EY=PRIKEYNM02:60:;
The status of the command execution is shown in the execution printout.
If the configuration cannot be changed, the failed cases are listed. The execution
printout shows the session type, protocol, computer unit, and the status of the
operation. For example:
SSH OMU
IPV4 TIME LIMIT EXCEEDED IN MESSAGE WAITING
IPV6 TIME LIMIT EXCEEDED IN MESSAGE WAITING
COMMAND EXECUTED
• Feature code 1057 provides the capability to configure IPSec VPNs to OMU, Open
TAS and MSS/MSC CHU, Open TAS and MSS/MSC STU, HLR EMU, HLR EIRU
and SGSN MCHU functional units.
• Feature code 1058 provides the capability to configure IPSec VPNs to the other
functional units of Open TAS, MSS/MSC, HLR, SGSN and MME, excluding user
plane termination units, for example, SGSN IOCP unit.
g Activating both feature codes 1057 and 1058 provides the capability to configure IPSec
VPNs to all functional units. For BSC products, only feature code 1057 is supported and
the capability to configure IPSec VPNs is only for OMU.
The following examples show how to configure in-host IP ACL filtering and IPSec VPNs
for OMUs of network elements. The examples present the configurations on Operability
Administration and Maintenance (OAM) IP-based network interfaces between OMU and
network management site. For other functional units, the corresponding configuration
logic can be applied to the interfaces, such as the charging interfaces of MSS/MSC, and
the Lawful Interception (LI) interfaces of MSS/MSC, SGSN and MME.
2.11.1 Configuring IPSec VPNs for OMU with IKE pre-shared key-
based VPN authentication
Purpose
See Figure 7: Configuring network element IPSec with IKE pre-shared key-based VPN
authentication, IPSec protection is configured for O&M traffic in network element A1. The
same procedure applies to network elements B1 and B2.
Figure 7 Configuring network element IPSec with IKE pre-shared key-based VPN
authentication
Site A SiteB
NE A1 M-planebackbone NEB1
(e.g.10.0.0.0/24)
OMUIP address OMUIP address
10.0.0.9/24 10.0.0.11/24
NEB2
OMUIP address
VPN-GWWANsideIP address
10.0.0.13/24
10.0.0.8/24
VPN-GW(cluster)
NMSSite
Trustednetwork
domain
192.168.8.0/24
Network
management
(NetAct)servers
On site B (remote site), IPSec VPNs are terminated in the same functional unit which
terminates the IP connections.
On the NMS site, IPSec VPNs are terminated in the VPN GW cluster. There is no IPSec
protection within the NMS site, because the site-internal network is considered trusted.
t Figure 7: Configuring network element IPSec with IKE pre-shared key-based VPN
authentication shows the basic principles of the IPSec configuration logic, but the
details may vary in different network environments, depending, for example, on the
network topology and VPN GW type.
When the rule has been detached from OMU, it accepts only IPSec VPN
connections originating from network 192.168.8.0/24 and delivered through VPN-GW
at IP address 10.0.0.8.
The MMI over Telnet O&M connection is unavailable until the corresponding ESP in
transport mode policies have been configured in the NMS site VPN-GW.
COMPUTER UNIT:............OMU
CA DEFINITION SET:.....CA1
PUBLIC KEY:...............
PRIVATE KEY:..............
PUBLIC INTERFACE:.........
PRIVATE INTERFACE:........
CERTIFICATE EXPIRE SET:...
RULES:.................PASSIKEV4
ESPCA
PASSV4
COMMAND EXECUTED
j) Detach rule PASSV4 from OMU.
ZQ2R:OMU::PASSV4;
When rule PASSV4 has been detached from OMU, the unit accepts only ESP-
encapsulated traffic originated from IP address 192.168.8.10 and encapsulated
by the VPN GW (address 10.0.0.8).
This OMU Ethernet interface can now be connected to the management plane
network so that OMU can obtain the CA certificate from the network
management site.
The MMI over Telnet traffic from an IP address other than 192.168.8.10 is
discarded. The following MML commands can be given locally from the VIMMLA
service terminal extension in OMU, or remotely from the network management
site IP address 192.168.8.10.
k) Configure the trusted CA certificate in the network element-internal key storage
by fetching it from the CA entity LDAP server.
ZQ2F:OMU:CA1CERT:C,”CN=CA1,O=Operator,C=FI”:;
l) Add the CA certificate CA1CERT to the CA definition set CA1.
ZQ2Y:CA1:ADDCA:CA1CERT:;
COMMAND EXECUTED
ZQ2C:PASSIKEV4,P,BOTH:UDP,”0.0.0.0/0”,500:”0.0.0.0/0”,500:;
Create a host-to-network-style IPSec VPN rule, which applies ESP encapsulation
in tunnel mode to all IPv4 traffic between OMU and the IP addresses on the
network management site.
ZQ2C
:ESPNMS,I,TN,"10.0.0.9","10.0.0.8":"192.16.8.8.0/24":2,2,,1
,1,,RSS: E,,,1,1:;
COMPUTER UNIT:...............OMU
CA DEFINITION SET:........CA1
PUBLIC KEY:...............OWNCERT
PRIVATE KEY:..............OWNPRIV
PUBLIC INTERFACE:.........
PRIVATE INTERFACE:........
CERTIFICATE EXPIRE SET:...
RULES:....................(PASSV4)
PASSIKEV4
(ESPCA)
ESPNMS
f) Detach rule PASSV4 from OMU.
ZQ2R:OMU::PASSV4:;
When the rule has been detached from OMU, the unit accepts only IPSec VPN
connections originating from network 192.168.8.0/24 and delivered through VPN-
GW at IP address 10.0.0.8.
The MMI over Telnet O&M connection is unavailable until the corresponding ESP
in transport mode policies have been configured in the NMS site VPN-GW.
ZQ2G:ENROLLEXP:E:30,0:;
Output:
CONFIGURED CERTIFICATE EXPIRE SET
COMMAND EXECUTED
ZQ2Q:OMU::ADDEXP,ENROLLEXP:;
Alternatively, you can configure the network element to raise an alarm when it
detects that the certificate is expiring within a short period of time.
In this case, you can use the same watchdog that was created to supervise the
validity of the CA certificate.
ZQ2Q:OMU::ADDEXP,ALARMEXP:;
Further information
The maximum number of trusted CA certificates per OMU is five.
If you want to remove a certificate from the list, give the following command:
ZQ2Y:<name of definition set>:REMCA: <name of certificate>:;
If you want to add a certificate to the list, give the following command:
ZQ2Y:<name of definition set>:ADDCA: <name of certificate>:;
g All remote connections to the MMI system are routed through the virtual terminal (VT). If
the VT has a super terminal profile, all remotely connected users who log in through
Telnet/SSH get super user rights as terminal authority 251 runs over their profile-
defined user rights.
If super terminal rights are needed, add the super terminal profile only to the VDUs.
If the terminal has special authority, go to step Change the terminal's authority
rights..
If the terminal does not have special authority, go to step Report the trouble if
necessary..
3 Perform OMU restart after all the files have been restored.
OMU restart is needed to make the changes in the previous step take effect.
3 Perform OMU restart after all the files have been restored.
OMU restart is needed to make the changes in the previous step take effect.
1 Check whether there are user IDs or terminals attached to the profile.
If you cannot delete a profile as long as it is attached to any user ID or terminal,
interrogate which user IDs or terminals are attached to the profile which you want to
delete, give the following commands:
ZIAI:USERID=ALL:COM;
ZIAI:TERMINAL=ALL:COM;
If there are terminals attached to the profile in question, go to step Attach the non-
equipped terminals to the common profile..
If there are user IDs attached to the profile, go to step Attach the user IDs to another
profile..
1 Check that FTP access rights have been defined in the user profile.
Check that the user has a user profile with FTP access rights.
• User with local user account:
a) Check MMI profile of local user account which is used to establish a
connection to the network element.
ZIAI:USERID=<username>:COM;
b) Create a local MMI profile with FTP access rights.
ZIAA:<profile>:<command class>=<authority>:::FTP=<access
right>;
c) Attach the user profile to the user ID.
ZIAE:USERID=<username>:<profile>;